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Components Examined 


EMS - Eiection Management System 

ADJ - Adjudication 

ICC - ImageCast Centrai 

ICP - ImageCast Precinct 

ICX - ImageCast X BMD 


Version 

5.5.12.1 

5.5.8.1 
5.5.3.0002 
5.5.3.0002 
5.5.10.30 


EAC/NASED Qualification 
Number Date 


DVS-DemSuite5 

DVS-DemSuite5 

DVS-DemSuite5 

DVS-DemSuite5 

DVS-DemSuite5 


5-A 1/30/2019 
5-A 1/30/2019 
5-A 1/30/2019 
5-A 1/30/2019 
5-A 1/30/2019 


The Democracy Suite 5.5-A (or D-Suite 5.5-A) is a modern voting system that is new to Texas, 
aithough D-Suite is in use in other states. A distinguishing feature is the extensive use of 
commerciai off-the-sheif components, or COTS components, to use the industry pariance. COTS 
components are standard hardware or software products, as opposed to custom-made 
components. 


For exampie, the D-Suite voting terminais are commerciaiiy avaiiabie Android tabiets that 
inciude the stand and the smart-card reader used for voter authentication. Simiiariy, the PCs, 
networking gear, hard drives, printers, and some scanners are COTS components. 


D-Suite Components 

ImageCast X (or ICX) is the name of the iine of voting stations, which aii share identicai 
software. The X in the name highiights the interchangeabiiity of the software and, in one case, 
even the tabiet hardware. 


For this examination. Dominion is oniy seeking certification of one member of the ICX iine - the 
ImageCast X BMD. (BMD stands for baiiot-marking device.) When a voter is finished making his 
or her seiections, the BMD prints the baiiot on the attached printer but does not save the voter's 
choices on the device. Since these devices do not tabuiate at aii, they do not need zero-tapes, 
precinct taiiies, or the iike. The printed baiiot must then be scanned before it is counted. Each 
baiiot contains the cast-vote record in two formats: a QR code (for use by the scanner) and a 
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printed, human-readable list (which can be visually verified by the voter). If there should be a 
question about whether the two match, it can be easily verified by scanning the QR code on the 
ballot and visually checking that it corresponds to the printed votes. 

The voting stations are COTS Android tablets; they must be placed in kiosk mode, which 
prevents access to the Android features during voting. 

Election setup, tabulation, and other related tasks are done with mostly COTS components and 
the proprietary EMS software. Most of the components are on a LAN (local area network), and 
no other devices are to be connected to that LAN. 

All election data and results are stored on self-encrypting hard drives and are also encrypted by 
the database software, Microsoft SQL Server. The hard drives are redundant (RAID 10^ 
meaning that each piece of data is stored on two separate hard drives, so nothing is lost even if 
one hard drive fails. There are two configurations, one that allows multiple client computers 
connected to a single server computer, and one where everything is on the same computer. We 
tested only the former, so the single-computer setup is not being certified. These computers run 
a hardened Windows operating system. 

Voting 

Election Setup. Election setup (such as entering races and assigning candidates to them) is 
done using a GUI (graphical user-interface) that is part of the Election Management System. 

Authentication for election setup and central-count administration. D-Suite uses two- 
factor authentication for administration. Access is granted only after both entering the correct 
PIN and presenting a token, which will be either an iButton (see photos) 
or a smart card, depending on the device. According to the vendor, an 
iButton is more durable than a smart card, but they serve the same 
purpose. In either case, the electronic token is created and encoded on 
the iButton or smart card using the Election Management System. 

Zero-total report. Zero totals are automatically printed by the scanners on paper tape. Note 
that no zero report is needed for the ballot-marking devices (BMDs). 

Ballot selection. Authorization to vote and ballot selection are done using smart cards 
generated by the Election Management System. A poll worker enters the ballot style, and the 
software writes it on a smart card in a secure way. The voter then takes the smart card to any 
voting station to vote. The voter cards are automatically cleared after voting, so they cannot be 
reused. Also, as a backup, a poll-worker card can be inserted into the voting station to allow 
manual selection of the ballot style. 
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Voting. Voting is done on the touch screen of the 
ImageCast X BMD, or ballots can be marked manually. 

Transfer Results. Vote totals are transferred from the 
ICP precinct scanner to central count using a removable 
memory device. 

Print precinct results. Precinct results are printed by 
the precinct scanner on paper tape. 

Straight party / crossover. Straight-party voting 
and crossover voting both work properly. 

Accessibility. Verification of accessibility is performed independently by the office of the 
Secretary of State, but the examiners had the opportunity to see the accessibility components. 

Comments 

The use of many COTS components should reduce the cost of D-Suite significantly. If this 
savings is passed on to the jurisdictions, then that's a very significant advantage. 

The optical scanner has a clever feature that appends to each ballot image an "audit mark" that 
records in plain text how the ballot was interpreted by the scanner. 

Although D-Suite can accommodate jurisdictions of all sizes, the client-server configuration 
submitted for certification has a minimum of one server and one workstation. We did not 
examine the single-computer configuration, which would be more appropriate for small counties. 

Problems Identified in the Prior Exam on January 16-17, 2019 

Crossover Votes. In the January exam we saw a problem with handling crossover votes after 
a straight-party selection. Dominion has fixed that problem. 

Adjudication results can be lost. In the January exam, during adjudication of the ballots in 
the test election, one of the Dominion representatives made a series of mistakes that caused the 
entire batch of adjudication results to be lost. We did not see this problem again during this 
exam, but the adjudication system is unchanged, so this vulnerability is still present. 

Recommendation: Certification should be denied. 

DRE station failure. Examiner Brian Mechler discovered in January that simply unplugging and 
reconnecting the cord that supplies power to the VVPAT from the Android tablet will usually 
cause the tablet to fail. Since Dominion is not submitting their DRE station for certification, this 
problem is not relevant to this exam. 

Voter May have to Start Over. In January the printer tray became ajar during voting, and the 
system did not notice until the voter attempted to cast his ballot. The system would not accept 
the ballot and all the voter's choices were lost. A poll worker card was required to clear the 
problem. In this exam, we were unable to reproduce this problem, so perhaps it was fixed by 
the software upgrade. 
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Concerns 

1. Installation is complex, error prone, and tedious. I counted 184 steps in their 
installation nnanual before deciding to estinnate the remaining steps. I estimate a total of about 
500 steps are required to install the software. I did not count steps that merely said something 
like "Click OK" or "Click Next." This installation manual is 412 pages long with an additional 23 
pages of front matter — contents, lists of figures, and the like. 

Some of these steps were quite simple, but some were lengthy with several "if" clauses. Here is 
a sample step: 

In the Command Prompt, run the following command, where X is the drive letter of the 
DVD-ROM drive where the Windows installation media is located: 

Dism /online /enable-feature /featurename:NetFx3 /All /Source:X:nsourcesnsxs 
/LimitAccess 

According to the Dominion representatives, there are eight Windows services that must be 
started in a certain order; however, the order that steps must be done is not the same as the 
order they appear on the menus of the Dominion product. 

The installation we witnessed took all day. Apparently, a mistake was made (accidently skipping 
one of the reboot steps) and the Dominion representatives, although clearly knowledgeable, 
were not able to recover before we broke for lunch. This was despite telephone consultations 
with other Dominion experts and the use of a troubleshooting guide that Dominion declined to 
make available to the examiners. Over lunch they decided to start the installation over, and it 
was successful the second time, finishing before the end of the day. Altogether, the installation 
took about 8 hours. 

Recommendation: Certification should be denied. 

2. Test Voting. During our voting test, we discovered that some party names and 
proposition text were not displayed, and one scanner was not accepting some ballots. These all 
turned out to be errors Dominion made in setting up the standard test election used by the 
Secretary of State. In the case of the scanner, it had accidently been configured not to accept 
machine-marked ballots. The other problems were caused by leaving some fields empty during 
election setup, something that the EMS software should not allow, or at least highlight. 

Recommendation: Certification should be denied. 

3. Misleading Message. The ballot-marking devices incorrectly informed voters that 
they were casting their ballots, when in fact they were only printing them. The ballots are not 
be counted until they were scanned on a different device. 

Recommendation: Certification should be denied. 

4. Disappearing Message. At one point while scanning ballots, something flashed on 
the display so briefly we could not read it. After several attempts to re-scan the ballot, we were 
able to discern that it was a message reading "Ambiguous Marks" that was displayed for a 
second or less. It then reverts to the "System Ready" message. The voter has no way of 
knowing what, if anything, is wrong since the error message does not persist long enough to 
read it. 
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Furthermore, the message is confusing. It would be better to say something like "Cannot read 
ballot." 

Recommendation: Certification should be denied. 

5. USB Port Vulnerability. The ICX ballot¬ 
marking device has an indicator light on top to 
show poll workers when the station is in use. That 
light is connected by a USB port. 

When Brian Mechler's phone was attached to the 
USB port, the ICX scanned the files on his phone 
and did not complain, although Dominion later 
showed that the event was logged. When a USB 
drive with files was inserted, the ICX sometimes 
complained and sometimes did not, apparently 
according to the content of the USB drive and 
whether it was present when the ICX was first 
powered up or inserted later. 

Recommendation: Certification should be denied 
unless either (a) the indicator light is removed from 
the certified configuration or (b) a way is found to 
secure the USB connection to the light. 

Conclusion 

I like the idea of using COTS components to save 
taxpayer money, and Dominion has done a good 
job of finding COTS components and minimizing the number of custom components. 

Nevertheless, I cannot recommend certification. Computer systems should be designed to 
prevent or detect human error whenever possible and minimize the consequences of both 
human mistakes and equipment failure. Instead the Democracy Suite 5.5-A is fragile and error 
prone. In my opinion it should not be certified for use in Texas. 

If certification should be granted, it should be with the condition that all open network and USB 
ports be sealed. 
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